Cisco ACL Guide

Block IPs, Ports & YouTube
1. Block a Specific IP

To block traffic from 192.168.1.100:

access-list 100 deny ip host 192.168.1.100 any
access-list 100 permit ip any any

Apply to an interface:

interface GigabitEthernet0/0
 ip access-group 100 in

2. Block a Port (e.g., HTTP 80)

To block TCP traffic to destination port 80 (HTTP) from any host:

access-list 110 deny tcp any any eq 80
access-list 110 permit ip any any

Apply with:

interface GigabitEthernet0/1
 ip access-group 110 out

3. Allow SSH (Port 22) Only from a Trusted IP

Block SSH for all except 10.0.0.5:

access-list 120 permit tcp host 10.0.0.5 any eq 22
access-list 120 deny tcp any any eq 22
access-list 120 permit ip any any

Apply it inbound on the interface where the SSH sessions arrive, in the same way as ACL 100 above. Note that an interface ACL filters traffic passing through the router; if the goal is to restrict SSH to the router itself, apply the same restriction on the vty lines with access-class.

4. Block YouTube (Using DNS & IP Ranges)

Method 1: Block YouTube DNS

access-list 130 deny udp any any eq 53
access-list 130 permit ip any any

(Not foolproof: this entry denies all UDP/53 traffic, not only YouTube lookups, so every DNS query through the interface is dropped, and users can still reach the site by using IP addresses directly.)

Method 2: Block Known YouTube IP Ranges

access-list 140 deny tcp any 172.217.0.0 0.0.255.255
access-list 140 deny udp any 172.217.0.0 0.0.255.255
access-list 140 permit ip any any

(The 0.0.255.255 wildcard matches the whole 172.217.0.0/16, a Google block that also carries other Google services, so expect collateral blocking; the address ranges in use also change over time.)

Final Notes

  • Standard ACLs (1-99) filter on source IP only.
  • Extended ACLs (100-199) filter on source/destination IP, protocol and port.
  • Entries are evaluated top to bottom and the first match wins, so put specific permits before broader denies.
  • Always add a permit ip any any at the end (every ACL ends with an implicit deny all).
  • Use show access-lists to verify rules and match counters.

Apply ACLs inbound (in) or outbound (out) as needed.
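To make the ordering and implicit-deny behaviour concrete, here is a small added Python evaluator (not IOS code, and not part of the original guide) that parses the extended ACL entries used above and decides a packet the way the router would: first match wins, wildcard-mask bits set to 1 are "don't care", and a packet matching no entry hits the implicit deny. It assumes numeric ports (eq 22, not eq ssh) and the source/destination forms any, host A.B.C.D and network plus wildcard.

```python
import ipaddress

# Added example, not IOS code: evaluates the extended-ACL entry forms used on this
# page (any / host X / net wildcard, optional 'eq <numeric port>') with first-match order.

def _match_addr(spec, addr):
    # spec is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (network + wildcard mask)
    if spec == "any":
        return True
    a, b = spec.split()
    ip = int(ipaddress.IPv4Address(addr))
    if a == "host":
        return ip == int(ipaddress.IPv4Address(b))
    wildcard = int(ipaddress.IPv4Address(b))  # 1 bits = don't care
    return (ip & ~wildcard) == (int(ipaddress.IPv4Address(a)) & ~wildcard)

def _addr_and_port(tokens):
    # consume one address spec plus an optional 'eq <port>' from the token list
    spec = tokens.pop(0)
    if spec != "any":
        spec += " " + tokens.pop(0)
    port = None
    if tokens and tokens[0] == "eq":
        port = int(tokens[1]); del tokens[:2]
    return spec, port

def parse_ace(line):
    # 'access-list <n> <permit|deny> <proto> <src> [eq p] <dst> [eq p]'
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    src, sport = _addr_and_port(rest)
    dst, dport = _addr_and_port(rest)
    return action, proto, src, sport, dst, dport

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    # first matching entry decides; no match at all falls through to the implicit deny
    for action, p, s, sp, d, dp in map(parse_ace, acl):
        if p in ("ip", proto) and _match_addr(s, src) and _match_addr(d, dst) \
                and sp in (None, sport) and dp in (None, dport):
            return action
    return "deny"

# Constructed sample lists, copied from sections 3 and 4 of the guide.
ACL_120 = ["access-list 120 permit tcp host 10.0.0.5 any eq 22",
           "access-list 120 deny tcp any any eq 22",
           "access-list 120 permit ip any any"]
ACL_140 = ["access-list 140 deny tcp any 172.217.0.0 0.0.255.255",
           "access-list 140 deny udp any 172.217.0.0 0.0.255.255",
           "access-list 140 permit ip any any"]
```

Evaluating ACL_120 with its first entry removed shows why order matters: SSH from 10.0.0.5 is then denied by the broader entry, and dropping the final permit from any list leaves everything else to the implicit deny.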
